This posting is here to collect cyber security news in March 2022.
I post links to security vulnerability news to comments of this article.
You are also free to post related links to comments.
Tomi Engdahl says:
Chinese APT Hackers Targeting Betting Companies in Southeast Asia https://thehackernews.com/2022/03/chinese-apt-hackers-targeting-betting.html
A Chinese-speaking advanced persistent threat (APT) has been linked to a new campaign targeting gambling-related companies in South East Asia, particularly Taiwan, the Philippines, and Hong Kong. Also:
https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies/
Tomi Engdahl says:
HubSpot Data Breach Ripples Through Cryptocurrency Industry https://threatpost.com/hubspot-data-breach-crytocurrency-industry/179086/
A rogue employee working at HubSpot, which is used by more than 135,000 (and growing) customers to manage marketing campaigns and on-board new users, has been fired over a breach that zeroed in on the company’s cryptocurrency customers, the company confirmed on Friday.
Tomi Engdahl says:
Police warn: Do not get involved in criminal online activity, even in a crisis situation https://poliisi.fi/blogi/-/blogs/poliisi-varoittaa-ethan-lahde-mukaan-rikolliseen-verkkotoimintaan-edes-kriisitilanteessa
According to the police’s information and observations, the situation in Ukraine has given rise to a phenomenon in which internet users have begun committing cybercrimes against actors that are seen as connected to or supporting Russia’s attack. We want to remind everyone that, whatever the motive, it does not justify breaking the law.
Tomi Engdahl says:
Russian nationals charged for alleged roles in DragonFly and Triton hacks https://www.zdnet.com/article/russian-nationals-charged-for-alleged-roles-in-dragonfly-and-triton-hacks
Four Russian nationals who worked for the Russian government were charged with two sets of US indictments last year for their alleged role in hacks performed by the DragonFly and Triton groups, which both targeted critical infrastructure around the world. Also:
https://www.is.fi/digitoday/tietoturva/art-2000008706983.html
Tomi Engdahl says:
Security of supply situation report: the war in Ukraine has direct and indirect effects https://www.huoltovarmuuskeskus.fi/a/huoltovarmuuden-tilannekuva-ukrainan-sodalla-suoria-ja-epasuoria-vaikutuksia
So far the war in Ukraine has not caused significant security-of-supply effects in Finland. In logistics the situation is harder to predict than before. Changes in sanctions and counter-sanctions are also rapid, and their effects may in future cause temporary disruptions to security of supply.
Tomi Engdahl says:
Researchers tie Ukraine cyber intrusion attempt to suspected Chinese threat actor ‘Scarab’
https://therecord.media/researchers-tie-ukraine-cyber-intrusion-attempt-to-suspected-chinese-threat-actor-scarab/
Ukraine’s Computer Emergency Response Team (CERT-UA) published evidence this week indicating that Chinese threat actors are targeting their systems publicly for the first time since Russia invaded Ukraine. Also: https://cert.gov.ua/article/38097
Tomi Engdahl says:
Russia hacked Ukrainian satellite communications, officials believe
https://www.bbc.com/news/technology-60796079
Western intelligence agencies have been investigating the incident and while they have not yet made a public accusation, they believe Russia was behind it.
Tomi Engdahl says:
URL rendering trick enabled WhatsApp, Signal, iMessage phishing https://www.bleepingcomputer.com/news/security/url-rendering-trick-enabled-whatsapp-signal-imessage-phishing/
A rendering technique affecting the world’s leading messaging and email platforms, including Instagram, iMessage, WhatsApp, Signal, and Facebook Messenger, allowed threat actors to create legitimate-looking phishing messages for the past three years. Also:
https://sick.codes/sick-2022-40/
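The rendering trick in the linked sick.codes advisory abuses Unicode bidirectional control characters (most usefully U+202E, RIGHT-TO-LEFT OVERRIDE), which change how a link is drawn on screen without changing the bytes the client actually opens. The following is an added example, not code from the article or the advisory: a small auditor that finds such characters in a URL, approximates how an unterminated override would be displayed, and produces an escaped form that a messaging client could show instead. The sample URL is constructed for illustration; the simplified renderer models only a single override with no closing character, whereas a real renderer runs the full Unicode bidi algorithm.

```python
from urllib.parse import urlsplit

# Unicode bidi control characters (explicit embeddings, overrides and isolates).
# None of them has a legitimate place inside a URL.
BIDI_CONTROLS = {
    "\u202a": "LEFT-TO-RIGHT EMBEDDING",
    "\u202b": "RIGHT-TO-LEFT EMBEDDING",
    "\u202c": "POP DIRECTIONAL FORMATTING",
    "\u202d": "LEFT-TO-RIGHT OVERRIDE",
    "\u202e": "RIGHT-TO-LEFT OVERRIDE",
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2068": "FIRST STRONG ISOLATE",
    "\u2069": "POP DIRECTIONAL ISOLATE",
}


def find_bidi_controls(text: str):
    """Return (offset, name) for every bidi control character in text."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(text) if ch in BIDI_CONTROLS]


def rendered_after_rtlo(text: str) -> str:
    """Approximate what a viewer sees: everything after an unterminated
    RIGHT-TO-LEFT OVERRIDE is drawn reversed. Simplified model only."""
    head, sep, tail = text.partition("\u202e")
    return head + tail[::-1] if sep else text


def escape_bidi(text: str) -> str:
    """Make bidi controls visible (<U+202E>), the safe way to display them."""
    return "".join(f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in text)


def audit_url(url: str):
    """Return human-readable findings for a URL as it appears in a message.
    An empty list means no bidi control characters were present."""
    findings = [f"bidi control {name} at offset {i}" for i, name in find_bidi_controls(url)]
    if findings:
        findings.append(f"displays approximately as: {rendered_after_rtlo(url)}")
        findings.append(f"escaped form: {escape_bidi(url)}")
        # The parser ignores the override, so the real target is unchanged.
        findings.append(f"actual host: {urlsplit(url).hostname}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the path looks like an image name once the
    # override reverses the characters that follow it.
    sample = "https://example.com/\u202egepj.xyz"
    for finding in audit_url(sample):
        print(finding)
```

The useful defensive property is the last finding: `urlsplit` sees the host the client will really connect to, so a client (or a mail/chat gateway) can compare the host of the *displayed* text with the host of the *parsed* URL and refuse to render the link as clickable when bidi controls are present.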
Tomi Engdahl says:
Estonian Tied to 13 Ransomware Attacks Gets 66 Months in Prison https://krebsonsecurity.com/2022/03/estonian-tied-to-13-ransomware-attacks-gets-66-months-in-prison/
An Estonian man was sentenced today to more than five years in a U.S. prison for his role in at least 13 ransomware attacks that caused losses of approximately $53 million. Prosecutors say the accused also enjoyed a lengthy career of “cashing out” access to hacked bank accounts worldwide.
Tomi Engdahl says:
Hackers remotely start, unlock Honda Civics with $300 tech https://www.theregister.com/2022/03/25/honda_civic_hack/
If you’re driving a Honda Civic manufactured between 2016 and 2020, this newly reported key fob hijack should start your worry engine.
Tomi Engdahl says:
Racoon Stealer malware suspends operations due to war in Ukraine https://www.bleepingcomputer.com/news/security/racoon-stealer-malware-suspends-operations-due-to-war-in-ukraine/
The cybercrime group behind the development of the Racoon Stealer password-stealing malware has suspended its operation after claiming that one of its developers died in the invasion of Ukraine.
Tomi Engdahl says:
HackerOne kicks Kaspersky’s bug bounty program off its platform https://www.bleepingcomputer.com/news/security/hackerone-kicks-kaspersky-s-bug-bounty-program-off-its-platform/
Bug bounty platform HackerOne disabled Kaspersky’s bug bounty program on Friday following sanctions imposed on Russia and Belarus after the invasion of Ukraine.
Tomi Engdahl says:
Crypto malware in patched wallets targeting Android and iOS devices https://www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices/
ESET Research uncovers a sophisticated scheme that distributes trojanized Android and iOS apps posing as popular cryptocurrency wallets. Also:
https://thehackernews.com/2022/03/experts-uncover-campaign-stealing.html
Tomi Engdahl says:
US says Kaspersky poses unacceptable risk to national security https://www.bleepingcomputer.com/news/security/us-says-kaspersky-poses-unacceptable-risk-to-national-security/
The Federal Communications Commission (FCC) added Russian cybersecurity firm Kaspersky to its Covered List, saying it poses unacceptable risks to U.S. national security.
Tomi Engdahl says:
Western Digital patches Samba bug giving root on My Cloud devices https://www.bleepingcomputer.com/news/security/western-digital-patches-samba-bug-giving-root-on-my-cloud-devices/
Western Digital has fixed a critical severity vulnerability that enabled attackers to gain remote code execution with root privileges on unpatched My Cloud OS 5 devices.
Tomi Engdahl says:
Critical Sophos Firewall vulnerability allows remote code execution https://www.bleepingcomputer.com/news/security/critical-sophos-firewall-vulnerability-allows-remote-code-execution/
Sophos has fixed a critical vulnerability in its Sophos Firewall product that allows remote code execution (RCE). Tracked as CVE-2022-1040, the authentication bypass vulnerability exists in the User Portal and Webadmin areas of Sophos Firewall.
Tomi Engdahl says:
Purple Fox Uses New Arrival Vector and Improves Malware Arsenal https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html
This most recent investigation covers Purple Fox’s new arrival vector and the early access loaders we believe are associated with the intrusion set behind this botnet. Our data shows that users’ machines are targeted via trojanized software packages masquerading as legitimate application installers.
Tomi Engdahl says:
Racing against the clock — hitting a tiny kernel race window (Google Project Zero)
https://googleprojectzero.blogspot.com/2022/03/racing-against-clock-hitting-tiny.html
Tomi Engdahl says:
Okta: “We made a mistake” delaying the Lapsus$ hack disclosure https://www.bleepingcomputer.com/news/security/okta-we-made-a-mistake-delaying-the-lapsus-hack-disclosure/
Okta has admitted that it made a mistake in delaying the disclosure of a hack by the Lapsus$ data extortion group that took place in January.
Tomi Engdahl says:
Google Issues Emergency Fix for Chrome Zero-Day
https://www.securityweek.com/google-issues-emergency-fix-chrome-zero-day
Tomi Engdahl says:
North Korea Gov Hackers Caught Sharing Chrome Zero-Day
https://www.securityweek.com/north-korea-gov-hackers-caught-sharing-chrome-zero-day
Malware hunters at Google have spotted signs that North Korean government hackers are sharing zero-day browser exploits for use in waves of targeted attacks hitting U.S. news media, crypto-banks and IT organizations.
According to new data published by Google’s TAG (Threat Analysis Group), two distinct North Korean hacker groups separately used a Chrome browser zero-day flaw in organized malware campaigns.
The Chrome vulnerability in question – CVE-2022-0609 – was patched by Google last month with the company issuing a barebones advisory to warn of the zero-day in-the-wild exploitation.
Tomi Engdahl says:
The Chaos (and Cost) of the Lapsus$ Hacking Carnage
https://www.securityweek.com/chaos-and-cost-lapsus-hacking-carnage
NEWS ANALYSIS: Security experts say the Lapsus$ gang’s “extortion and destruction” hacking spree is the work of an amateur gang allegedly led by a British teenager. What does this say about the state of cybersecurity?
The timing for Lapsus$ attacks couldn’t possibly be worse.
As enterprise network defenders absorbed warnings about cyberwar and confirmed reports of nation-state wiper and ransomware attacks, the Lapsus$ hacking gang stormed into public view with taunts and evidence of data-theft hacks against prominent brands NVIDIA, Samsung and Ubisoft.
Later, Microsoft and Okta would be dragged into the victim pool with Redmond publicly documenting “a large-scale social engineering and extortion campaign” and Okta badly botching its communications with customers on the extent of its breach.
The chaos — and ongoing controversies — caused by Lapsus$ (Microsoft calls them DEV-0537) is confirmation that attack surfaces and third-party vendor dependencies expose attack surfaces that are near impossible to defend. Worse, it confirms that even the most well-resourced organizations with the best security talent can fall victim to skilled, motivated attackers.
Microsoft’s blog post on Lapsus$ tells the story of a loosely organized group leaving a trail of destruction after successful hacking attacks against multiple organizations around the world.
“[The group is] known for using a pure extortion and destruction model without deploying ransomware payloads,” Microsoft warned in a note acknowledging its own systems were compromised in the high-profile raids.
Tomi Engdahl says:
VMware Patches Critical Vulnerabilities in Carbon Black App Control
https://www.securityweek.com/vmware-patches-critical-vulnerabilities-carbon-black-app-control
VMware this week announced software updates that address two critical-severity vulnerabilities in its Carbon Black App Control product.
An application allow listing solution, Carbon Black App Control allows security teams to secure enterprise systems by locking them down to prevent unwanted changes, and to maintain continuous compliance.
Tracked as CVE-2022-22951, the first of the two security holes is an OS command injection issue that could lead to remote code execution. The flaw exists because user input isn’t properly validated.
An attacker looking to exploit the bug needs to be authenticated as a high-privileged user and requires network access to the App Control interface in order to execute commands on the server.
Tomi Engdahl says:
How banks in Finland protect themselves against cyberattacks: “One person cannot blow up the whole bank’s affairs”
Banking and insurance services are essential to society, which is why they are an attractive target for attacks carried out over data networks.
https://www.iltalehti.fi/kotimaa/a/cdeacf59-43d3-4fa6-b41c-acc300bd63ea
Tomi Engdahl says:
Sophos fixes critical hijack flaw in firewall offering
Authentication bypass followed by remote-code execution at the network boundary
https://www.theregister.com/2022/03/28/sophos-firewall-rce-vulnerability/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/critical-sonicwall-firewall-patch-not-released-for-all-devices/
Tomi Engdahl says:
CISA: Here are 66 more security flaws actively being used by hackers – so get patching
Such flaws are a frequent attack vector, warns security agency.
https://www.zdnet.com/article/cisa-here-are-66-more-security-flaws-actively-being-used-by-hackers-so-get-patching/
Tomi Engdahl says:
Hive ransomware ports its Linux VMware ESXi encryptor to Rust
https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/url-rendering-trick-enabled-whatsapp-signal-imessage-phishing/
Tomi Engdahl says:
Hackers weigh in on programming languages of choice
Small, self-described sample, sure. But results show shifts over time
https://www.theregister.com/2022/03/24/hacker_language_study/
Tomi Engdahl says:
Adafruit Doubles Security to Prevent Raspberry Pi Bot Sales
Two-factor all the way
https://www.tomshardware.com/news/adafruit-two-factor-security-for-raspberry-pi
Tomi Engdahl says:
https://reconshell.com/bug-bounty-tools/
Tomi Engdahl says:
23-Year-Old Russian Hacker Wanted by FBI for Running Marketplace of Stolen Logins
https://thehackernews.com/2022/03/23-year-old-russian-hacker-wanted-by.html
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/public-redis-exploit-used-by-malware-gang-to-grow-botnet/
Tomi Engdahl says:
https://www.makeuseof.com/microsoft-bing-source-code-leak/
Tomi Engdahl says:
Using just a laptop, an encryption code designed to prevent a quantum computer attack was cracked in just 53 hours
Tech institutions are trying to find ways to guarantee security as new processing systems becoming increasingly sophisticated
https://english.elpais.com/science-tech/2022-03-24/using-just-a-laptop-an-encryption-code-designed-to-prevent-a-quantum-computer-attack-was-cracked-in-just-53-hours.html
Tomi Engdahl says:
This browser-in-browser attack is perfect for phishing
If you’re involved in malvertising, please don’t read this. We don’t want to give you ideas
https://www.theregister.com/2022/03/18/browser_in_browser_phishing/
A novel way of tricking people out of their passwords has left us wondering if there’s a need to rethink how much we trust our web browsers to protect us and to accelerate efforts to close web security gaps.
Earlier this week, an infosec researcher known as mr.d0x described a browser-in-the-browser (BitB) attack. It’s a way to steal login credentials by simulating the little browser windows that Google, Microsoft, and other authentication service providers pop up that ask you for your username and password to continue. You’ve probably seen these windows: you click on something like a “Sign in with Microsoft” button on a website, and popup appears asking for your credentials to access your account or profile.
https://mrd0x.com/browser-in-the-browser-phishing-attack/
Tomi Engdahl says:
Crackdown on a hacker gang: 7 arrested, including minors https://www.is.fi/digitoday/tietoturva/art-2000008712491.html
Tomi Engdahl says:
When Nokia Pulled Out of Russia, a Vast Surveillance System Remained https://www.nytimes.com/2022/03/28/technology/nokia-russia-surveillance-system-sorm.html
Nokia said this month that it would stop its sales in Russia and denounced the invasion of Ukraine. But the Finnish company didn’t mention what it was leaving behind: equipment and software connecting the government’s most powerful tool for digital surveillance to the nation’s largest telecommunications network.
Nokia responds to New York Times article of March 28 on lawful interception
https://www.nokia.com/about-us/newsroom/statements/nokia-statement-on-new-york-times/
The New York Times, in its article of March 28, makes claims regarding Nokia’s role in Russia’s lawful intercept system, also known by the abbreviation SORM. Nokia believes this article is misleading. As Nokia has made clear to The New York Times, Nokia does not manufacture, install or service SORM equipment or systems. Any suggestions that we do, are incorrect.
Tomi Engdahl says:
https://www.forbes.com/sites/thomasbrewster/2022/03/28/huge-cyberattack-on-ukrtelecom-biggest-since-russian-invasion-crashes-ukraine-telecom/
‘Most Severe’ Cyberattack Since Russian Invasion Crashes Ukraine Internet Provider. A “powerful” cyberattack has hit Ukraine’s biggest fixed line telecommunications company, Ukrtelecom.
Tomi Engdahl says:
Lapsus$ and SolarWinds hackers both use the same old trick to bypass MFA
https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/
Not all MFA is created equal, as script kiddies and elite hackers have shown recently.
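The trick the linked article discusses is MFA prompt bombing (push fatigue): the attacker already holds the password and fires push notifications at the victim until one is approved. Push-based MFA cannot stop this by itself, but the pattern is easy to see in the identity provider’s logs. The block below is an added example, not code from the article: a detector that runs over a constructed, simplified log (`timestamp user event`, events `push_sent`, `push_denied`, `push_approved`) and raises an alert when a user receives too many prompts in a window, or approves a prompt after repeatedly denying. The log format, thresholds and window are assumptions; replace `parse_line` for a real IdP’s JSON or syslog output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: alice is bombed with five prompts in under three
# minutes and finally approves; bob is a normal single-prompt login.
SAMPLE_LOG = """\
2022-03-28T02:10:01Z alice push_sent
2022-03-28T02:10:05Z alice push_denied
2022-03-28T02:10:40Z alice push_sent
2022-03-28T02:10:44Z alice push_denied
2022-03-28T02:11:20Z alice push_sent
2022-03-28T02:11:25Z alice push_denied
2022-03-28T02:12:00Z alice push_sent
2022-03-28T02:12:03Z alice push_denied
2022-03-28T02:12:30Z alice push_sent
2022-03-28T02:12:50Z alice push_approved
2022-03-28T02:15:00Z bob push_sent
2022-03-28T02:15:04Z bob push_approved
"""


def parse_line(line: str):
    """Split one 'timestamp user event' line (assumed format)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_prompt_bombing(lines, window=timedelta(minutes=10),
                          max_prompts=5, denials_before_approve=3):
    """Sliding-window detector. Returns a list of (timestamp, user, reason).

    Rule 1: the max_prompts-th push_sent to one user inside `window`.
    Rule 2: a push_approved that follows >= denials_before_approve denials
            inside `window` (the user gave in to the bombing).
    """
    recent = defaultdict(deque)   # user -> deque of (ts, event) inside window
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        q = recent[user]
        while q and ts - q[0][0] > window:   # drop events older than window
            q.popleft()
        q.append((ts, event))
        sent = sum(1 for _, e in q if e == "push_sent")
        denied = sum(1 for _, e in q if e == "push_denied")
        if event == "push_sent" and sent == max_prompts:
            alerts.append((ts, user, f"{sent} push prompts within {window}"))
        if event == "push_approved" and denied >= denials_before_approve:
            alerts.append((ts, user, f"approval after {denied} denials within {window}"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect_prompt_bombing(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} ALERT {user}: {reason}")
```

Rule 2 is the one worth paging on: a prompt approved after a run of denials is the moment the attacker actually gets in, and the response is to revoke that session and reset the password, not just notify the user. The structural fix is the one the article points at: number matching or phishing-resistant (FIDO2/WebAuthn) factors, where there is no push to fatigue.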
Tomi Engdahl says:
Hive ransomware ports its Linux VMware ESXi encryptor to Rust https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/
The Hive ransomware operation has converted their VMware ESXi Linux encryptor to the Rust programming language and added new features to make it harder for security researchers to snoop on victim’s ransom negotiations.
Tomi Engdahl says:
New Windows security feature blocks vulnerable drivers
https://www.bleepingcomputer.com/news/microsoft/new-windows-security-feature-blocks-vulnerable-drivers/
Microsoft now allows Windows users to block drivers with known vulnerabilities with the help of Windows Defender Application Control (WDAC) and a vulnerable driver blocklist. Also:
https://www.zdnet.com/article/microsoft-is-adding-a-new-driver-blocklist-feature-to-windows-defender-on-windows-10-and-11/
Tomi Engdahl says:
Russia facing internet outages due to equipment shortage https://www.bleepingcomputer.com/news/technology/russia-facing-internet-outages-due-to-equipment-shortage/
Russia’s RSPP Commission for Communications and IT, the country’s largest entrepreneurship union, has warned of imminent large-scale Internet service outages due to the lack of available telecom equipment.
Tomi Engdahl says:
Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability https://thehackernews.com/2022/03/muhstik-botnet-targeting-redis-servers.html
Muhstik, a botnet infamous for propagating via web application exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system.
Tomi Engdahl says:
1,000-plus AI-generated LinkedIn faces uncovered https://www.theregister.com/2022/03/28/ai_fake_linkedin_faces/
Two Stanford researchers have fallen down a LinkedIn rabbit hole, finding over 1,000 fake profiles using AI-generated faces at the bottom.
Tomi Engdahl says:
Researchers Hack Remote Keyless System of Honda Vehicles
https://www.securityweek.com/researchers-hack-remote-keyless-system-honda-vehicles
A researcher has published proof-of-concept (PoC) videos to demonstrate how an attacker can remotely unlock the doors of a Honda vehicle, or even start its engine.
The attack is possible because of a vulnerability in the car manufacturer’s remote keyless system (CVE-2022-27254) that appears to impact all Honda Civic (LX, EX, EX-L, Touring, Si, and Type R) models between 2016 and 2020.
The issue is that the same unencrypted radio frequency (RF) signal is sent for commands to unlock/lock doors, open the boot, or start the engine remotely, Ayyappan Rajesh, a student at University of Massachusetts Dartmouth, explained.
Because of that, an attacker in a man-in-the-middle position could eavesdrop on the request and then use it to launch a replay attack.
Basically, if the attacker is located near a vulnerable vehicle, they can record the remote signal sent by the car owner to wirelessly open and start the vehicle, and later perform the same action by themselves.
https://github.com/nonamecoder/CVE-2022-27254
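The weakness described above is that the fob sends the same fixed, unencrypted frame every time, so anything that can record it can re-send it. The simulation below is an added example, not code from the researcher’s PoC or anything Honda ships: it models a fixed-code receiver that accepts any recorded frame, and next to it a rolling-code receiver of the kind that defeats simple replay (a monotonically increasing counter authenticated with an HMAC under a key shared between fob and car, accepted only inside a forward window). The frame layout, key, window size and `b"unlock"` label are all constructed for the illustration; they are not Honda’s actual protocol.

```python
import hashlib
import hmac

KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed shared key


class FixedCodeReceiver:
    """Models the reported behaviour: a constant, unencrypted command frame
    is accepted every time it is heard, so a recording replays forever."""

    def __init__(self, unlock_frame: bytes):
        self.unlock_frame = unlock_frame

    def receive(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.unlock_frame)


class RollingCodeFob:
    """Fob side: 4-byte big-endian counter || 16-byte HMAC-SHA256 tag."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press_unlock(self) -> bytes:
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        tag = hmac.new(self.key, ctr + b"unlock", hashlib.sha256).digest()[:16]
        return ctr + tag


class RollingCodeReceiver:
    """Car side: verify the tag, then require the counter to be strictly
    ahead of the last accepted one but within `window` (so presses made
    out of range of the car do not desynchronise the pair)."""

    def __init__(self, key: bytes, window: int = 16):
        self.key = key
        self.window = window
        self.last_counter = 0

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 4 + 16:
            return False
        ctr, tag = frame[:4], frame[4:]
        expected = hmac.new(self.key, ctr + b"unlock", hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):      # forged or corrupted frame
            return False
        counter = int.from_bytes(ctr, "big")
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return False                                # replayed or too far ahead
        self.last_counter = counter
        return True


def replay_attack(receiver, recorded_frames):
    """Attacker re-sends frames captured off the air; one bool per attempt."""
    return [receiver.receive(f) for f in recorded_frames]


def simulate():
    """Owner presses once, attacker records it and replays it three times."""
    fixed_frame = bytes.fromhex("55aa0102")              # constructed fixed code
    fixed_car = FixedCodeReceiver(fixed_frame)
    fob, rolling_car = RollingCodeFob(KEY), RollingCodeReceiver(KEY)
    rolling_frame = fob.press_unlock()
    return {
        "fixed_owner": fixed_car.receive(fixed_frame),
        "fixed_replay": replay_attack(fixed_car, [fixed_frame] * 3),
        "rolling_owner": rolling_car.receive(rolling_frame),
        "rolling_replay": replay_attack(rolling_car, [rolling_frame] * 3),
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

Two details matter in practice. The counter window is what keeps the scheme usable after presses the car never heard, and it also bounds how far a recorded-but-suppressed frame stays valid; a receiver that accepts any counter above the last one is still vulnerable to "record now, jam, replay later". And the tag must be checked before the counter is consumed, otherwise a forged frame with a large counter could desynchronise the pair.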
Tomi Engdahl says:
Checkmarx Finds Threat Actor ‘Fully Automating’ NPM Supply Chain Attacks
https://www.securityweek.com/checkmarx-finds-threat-actor-fully-automating-npm-supply-chain-attacks
Threat hunters at Checkmarx on Monday raised an alarm after discovering a threat actor fully automating the creation and delivery of “hundreds of malicious packages” into the NPM ecosystem.
The Checkmarx warning comes on the heels of Snyk’s discovery of “deliberate sabotage” of NPM package managers and raises new concerns about the software supply chain threat landscape.
According to an advisory from Checkmarx, a threat actor flagged as RED-LILI has “fully automated” the process of NPM account creation to launch difficult-to-detect dependency confusion attacks.
“Customarily, attackers use an anonymous disposable NPM account from which they launch their attacks. As it seems this time, the attacker has fully-automated the process of NPM account creation and has opened dedicated accounts, one per package, making his new malicious packages batch harder to spot,” said Jossef Harush, head of Checkmarx’s supply chain security engineering group.
Software Supply Chain Weakness: Snyk Warns of ‘Deliberate Sabotage’ of NPM Ecosystem
https://www.securityweek.com/software-supply-chain-weakness-snyk-warns-deliberate-sabotage-npm-ecosystem
Tomi Engdahl says:
Estonian Ransomware Operator Sentenced to Prison in US
https://www.securityweek.com/estonian-ransomware-operator-sentenced-prison-us
Tomi Engdahl says:
German Authorities Seize Spyware Firm FinFisher’s Accounts
https://www.securityweek.com/german-authorities-seize-spyware-firm-finfishers-accounts
German authorities have seized accounts belonging to the spyware company FinFisher amid an investigation into whether it broke export laws by selling its products to authoritarian governments.
Munich prosecutors confirmed Monday that the company’s accounts were impounded, though the measure will have no immediate effect because FinFisher is undergoing insolvency proceedings.
Human rights groups accuse the Munich-based company of supplying Turkey, Egypt and Myanmar with trojan software known as FinSpy that could be used to eavesdrop on dissidents.
The European Center for Constitutional and Human Rights and others argue that exporting such software outside the European Union requires prior authorization, which was not issued.
https://www.securityweek.com/finspy-surveillance-spyware-fitted-uefi-bootkit